Network - AD Design Plan

SKV Proposal to TLC for Active Directory Site Implementation
Date: Jan 27, 2014
Prepared by: Sainath K.E.V, Microsoft Most Valuable Professional

Upload: raj0407

Post on 26-Jan-2016




Introduction:

SKV Consulting is a premier consulting firm providing enterprise solutions for designing Microsoft technologies. SKV follows Microsoft standard frameworks and proven methodologies in designing and implementing infrastructure solutions.

SKV has successfully performed enterprise infrastructure transformations, including both desktop transformations and server transformations. SKV has a proven track record of quality and delivery methodologies and provides value to its customers by reducing operations costs and increasing revenue.

1 Summary

TLC is built on a Cisco and Microsoft stack of network devices and servers. There are two physical sites, separated by Cisco routers, with a hybrid infrastructure configured for the server and virtualization stack.

Our proposal to TLC covers the following required services:

1) Network Infrastructure Validation

SKV Consulting will perform Layer 2 and Layer 3 network analysis. SKV Consulting will follow industry operations frameworks and proven monitoring tools and baselines to provide a detailed report to TLC Corp. SKV will validate VLAN trunks, port aggregation, bandwidth management and routing protocol design.

2) Active Directory Site Validation

SKV Consulting will validate the Active Directory site infrastructure and run different Microsoft tools to examine Active Directory replication health. SKV Consulting will validate the site design and report the information to TLC Corp.

3) Remote Access

SKV Consulting's consultants are spread across Australia and require remote access to the data center servers. Consultants would require RDP access and the necessary user accounts with appropriate privileges to run the tools and report the data.


2 Solution Overview

Introduction:

The existing TLC data center is hosted in Sydney and managed by in-house staff. TLC has two offices (Sydney and Melbourne); each site is hosted in its own data center and the sites are connected by high-speed networks.

TLC users access a financial application hosted on mission-critical servers connected by high-speed networks. Users access resources across sites, including shared folders, backup and print services. The front-end application connects to a back-end database and requires a fast network to support real-time data reads and writes.

In this proposal, SKV Corp will perform an initial assessment of both the network and the Microsoft Active Directory infrastructure, and SKV technology consultants will run different health tools and baseline metrics to validate the environment.

TLC uses a local ISP for internet connectivity over a 4 Mbps link. The TLC sites are connected with a site-to-site VPN. Each data center is a replica of the other and has the infrastructure below.

TLC Network Infrastructure

Device | Qty | Description
Cisco Catalyst 3560 | 2 | Network resiliency and security
Cisco 7600 Router | 2 | Network routing
Cisco Fabric Interconnect | 2 | Management interface
Cisco UCS Blade | 2 | Server virtualization

Physical Servers

Server | VLAN | Description
Microsoft SQL Server | VLAN 1 | SQL Server installed on HP Pro Server
FICO Server | VLAN 1 | Financial application running on the server
UNIX Server | VLAN 1 | Hosted on HP Pro Server
Hyper-V Server | Hosts virtual networks | Virtualization tier
Symantec Backup Server | VLAN 1 | Backup server

Microsoft Infrastructure Components

Component | VLAN | Description
Primary Domain Controller | VLAN 1 | Forest root domain
Additional Domain Controller | VLAN 1 | Secondary domain controller with DNS
Microsoft Exchange Server | VLAN 1 | Microsoft Exchange Server 2010
Microsoft SharePoint Server 2010 | VLAN 2 | Microsoft SharePoint Services
Microsoft System Center Operations Manager | VLAN 2 | Server monitoring enterprise solution
Microsoft System Center Configuration Manager | VLAN 2 | Patch management and software distribution

DNS Namespace

DNS | Namespace | Description | Domain Controllers
Local | TLC.LOCAL | - | FRD1.TLC.LOCAL, FRD2.TLC.LOCAL
Global | TLC.com | Hosted by ISP | -

Solution Diagram:

[Diagram: Sydney Data Center and Melbourne Data Center joined by a 10 MBPS WAN connection. Each data center shows a Production Environment / UCS Blade with two Fabric Extenders behind Fabric Interconnect 1 and Fabric Interconnect 2, VLAN1-Prod and VLAN2-Prod, a 3750x router, two 3560 switches, Hyper-V hosts, the ISP link, and SAN storage replication to a hybrid cloud. Servers shown: SQL Server, Hyper-V, UNIX and Symantec servers; DC, ADC and Exchange; SharePoint, SCOM and SCCM.]

Each data center consists of 5 physical servers configured on HP Pro Servers. TLC Corp uses Microsoft Hyper-V as its virtualization stack, hosted on the Windows Server 2008 R2 Enterprise operating system. Two VLANs are configured to host the different application servers, with a DMZ network configured with Microsoft Forefront and Blue Coat servers respectively. The second data center acts as the high availability and DR site, with an exact replica of the servers configured.

Users are located in Sydney, and TLC Corp will be expanding its infrastructure base to Tokyo this year. The primary Sydney site hosts the Microsoft FSMO roles, along with Microsoft Exchange 2010 Server and Microsoft System Center Operations Manager 2008 R2, which supports the entire infrastructure for critical alerts and monitoring.

The Microsoft Hyper-V server hosts virtual servers that communicate with VLAN 1, VLAN 2 and the client network; the client network is out of scope for SKV Consulting to monitor. In addition, a physical-to-virtual migration is proposed by the customer with the view of virtualizing the entire data center by the end of this year.


Scope of Work

The following requirements were gathered after infrastructure analysis and discussion with the architectural group.

SKV Tasks:

- Detailed network analysis covering both Layer 2 and Layer 3 will be performed by SKV consultants.
- Automated solutions will be proposed based on the assessment.
- Execute the different tools and document the analysis.
- Suggest architectural changes to the network and Microsoft Active Directory sites.

Phase 1 – Start of the Project

SKV project managers will hold discussions with TLC Corp to identify the activities and timeframes. A detailed project plan will be submitted to TLC.

Phase 2 – Network Assessment

SKV consultants will perform a detailed analysis of the Layer 2 and Layer 3 networks, following detailed discussions with TLC network staff to understand the existing infrastructure.

Phase 3 – Active Directory Assessment

SKV consultants will perform a detailed analysis of the existing Active Directory site structure and execute Microsoft tools to record infrastructure details. Discussions will be held with TLC Active Directory staff.


Assumptions:

1. Data center hosting is performed by TLC employees.
2. Configuration of Cisco switches and VLANs is performed by TLC.
3. Internet Protocol addresses are provided to SKV consultants by TLC.
4. Firewall exception rules are implemented by TLC.
5. Server maintenance, including server patch management, is performed by TLC.
6. Storage provisioning, including provision of LUNs and configuration of iSCSI on Windows Servers, is performed by TLC.
7. Communication between VLANs is provisioned by TLC.
8. DR procedures are managed by a 3rd-party vendor.
9. The private namespace is hosted by TLC.
10. Privileges to log on to DNS servers / domain controllers, including Group Policy creation and service account provisioning, are provided by TLC.
11. The network diagram is provided by TLC Corp.
12. Access to network devices (Layer 2 and Layer 3) is provisioned by TLC.
13. Access to execute commands on network devices is provisioned by TLC.
14. Access to all the required subnets is provisioned by TLC.
15. Access to the second data center is provisioned by TLC.
16. The Active Directory infrastructure diagram is provided by TLC.
17. Access to execute commands on domain controllers is provided by TLC.
18. Access to Active Directory Sites and Subnets is provisioned by TLC.
19. Access to DNS is provisioned by TLC.
20. This document will not provide detailed step-by-step visual information about the configuration of DNS servers or domain controllers for TLC.
21. This document will not cover step-by-step information about installing and configuring domain controllers.
22. This document will provide best practices to validate the existing network infrastructure and Active Directory site implementation.

Network Assessment:

SKV will perform the following network assessment for TLC Corp.

Network Monitoring Overview

Monitor the access layer for network connectivity. Monitor voice convergence and wireless connectivity and verify the logs. Review and validate default gateway redundancy using dual connections from the switches.

Validate the convergence and verify that only the required access is provisioned for wireless devices. Validate DHCP security (DHCP snooping), followed by ARP inspection.

Test the Virtual Router Redundancy Protocol and First Hop Redundancy Protocol (FHRP) for successful failover and redundancy. HSRP election process validation is key in monitoring; to validate HSRP, the SKV consultant should perform a VM live migration. Report on the Layer 2 extensions: VPLS, FabricPath and TRILL.


Validating the Layer 3 switching environment includes verifying packet manipulation (checksum access). The SKV consultant will validate Gigabit density and LAN–WAN convergence.

Validate the trunk configuration by ensuring 802.1Q trunks are used, DTP mode is set to desirable and the trunk encapsulation is set.

Disable trunking on host ports and set the native VLAN to an unused VLAN.

Validate Dynamic Trunking Protocol: check for permanent trunk mode, validate ports configured as desirable, and verify ISL encapsulation on the trunk link.

The above tests will validate the three major layers (access, distribution and core). Further monitoring activities will be performed based on client requests.

Active Directory Validation

SKV will perform the tasks below to validate the Active Directory site infrastructure for TLC.

a) Validate site objects and report errors to TLC

b) Validate subnet objects and report errors to TLC

c) Validate site and subnet associations and report inconsistencies to TLC

d) Validate and verify DNS site information and report misconfigurations to TLC

e) Validate that logon requests are associated with the proper Active Directory sites

f) Validate site replication and report back to TLC

g) Verify client DNS IP address associations
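The following script is an added example, not part of the SKV proposal, of how items a) to g) above can be checked read-only from a domain-joined workstation. It assumes the RSAT ActiveDirectory module, rights to read the configuration partition, and that nltest.exe is present; TLC.LOCAL is the proposal's domain name, while the function and variable names are this example's own.

```powershell
# Added example (not part of the SKV proposal): read-only check of site objects,
# subnet associations, per-site SRV records, client site lookup, replication
# failures and client DNS servers. Assumes RSAT ActiveDirectory and nltest.exe.
Import-Module ActiveDirectory

function Test-TlcAdSites {
    param([string]$DomainName = 'TLC.LOCAL')   # domain name from the proposal

    $findings = New-Object System.Collections.Generic.List[string]
    $sites    = @(Get-ADReplicationSite -Filter *)
    $dcs      = @(Get-ADDomainController -Filter *)

    # a) + d) Site objects: every site that holds a DC must also have site-specific
    # SRV records, otherwise clients in that site fall back to any DC in the domain.
    foreach ($site in $sites) {
        $dcsInSite = @($dcs | Where-Object { $_.Site -eq $site.Name })
        if ($dcsInSite.Count -eq 0) {
            $findings.Add("Site '$($site.Name)' contains no domain controller")
            continue
        }
        $srvName = "_ldap._tcp.$($site.Name)._sites.dc._msdcs.$DomainName"
        if (-not (Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue)) {
            $findings.Add("Missing site SRV record $srvName")
        }
    }

    # b) + c) Subnet objects: a subnet with no site association is ignored by the
    # DC locator, so clients on it show up on DCs as 'no client site' (NETLOGON 5807).
    $subnets = @(Get-ADReplicationSubnet -Filter *)
    foreach ($subnet in $subnets) {
        if (-not $subnet.Site) {
            $findings.Add("Subnet $($subnet.Name) is not associated with any site")
        }
    }

    # e) Logon requests: the site this machine resolves to through the DC locator.
    $clientSite = (& nltest /dsgetsite 2>$null | Select-Object -First 1)

    # f) Replication: inbound replication failures reported by the domain's DCs.
    $failures = @(Get-ADReplicationFailure -Target $DomainName -Scope Domain -ErrorAction SilentlyContinue)
    foreach ($f in $failures) {
        $findings.Add("Replication failure on $($f.Server) from $($f.Partner): $($f.FailureType), count $($f.FailureCount)")
    }

    # g) Client DNS servers: every DNS server the local client uses should be a DC.
    $dcAddresses = @($dcs | ForEach-Object { $_.IPv4Address })
    $clientDns   = @(Get-DnsClientServerAddress -AddressFamily IPv4 |
                     ForEach-Object { $_.ServerAddresses } | Select-Object -Unique)
    foreach ($addr in $clientDns) {
        if ($dcAddresses -notcontains $addr) {
            $findings.Add("Client DNS server $addr is not a domain controller")
        }
    }

    [pscustomobject]@{
        Sites      = @($sites | ForEach-Object { $_.Name })
        Subnets    = $subnets.Count
        ClientSite = $clientSite
        Findings   = $findings
        Healthy    = ($findings.Count -eq 0)
    }
}

Test-TlcAdSites | Format-List
```

The function returns an object rather than printing, so the findings can be exported to the report TLC receives; run it once per site (from a client in that site) to cover item e) for every location.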


Active Directory Monitoring

1) Ensure static IP addresses are configured on the domain controllers, and validate the subnet mask and default gateway configured on each server. Strictly no multi-homed networks on domain controllers.

2) Ensure the network ports are open for the various Active Directory and DNS communications:

Protocol and Port | AD and AD DS Usage | Type of traffic
TCP and UDP 389 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP
TCP 636 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP SSL
TCP 3268 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC
TCP 3269 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC SSL
TCP and UDP 88 | User and Computer Authentication, Forest Level Trusts | Kerberos
TCP and UDP 53 | User and Computer Authentication, Name Resolution, Trusts | DNS
TCP and UDP 445 | Replication, User and Computer Authentication, Group Policy, Trusts | SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc
TCP 25 | Replication | SMTP
TCP 135 | Replication | RPC, EPM
TCP Dynamic | Replication, User and Computer Authentication, Group Policy, Trusts | RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS
TCP 5722 | File Replication | RPC, DFSR (SYSVOL)
UDP 123 | Windows Time, Trusts | Windows Time
TCP and UDP 464 | Replication, User and Computer Authentication, Trusts | Kerberos change/set password
UDP Dynamic | Group Policy | DCOM, RPC, EPM
UDP 138 | DFS, Group Policy | DFSN, NetLogon, NetBIOS Datagram Service
TCP 9389 | AD DS Web Services | SOAP
UDP 67 and UDP 2535 | DHCP (Note: DHCP is not a core AD DS service but it is often present in many AD DS deployments) | DHCP, MADCAP
UDP 137 | User and Computer Authentication | NetLogon, NetBIOS Name Resolution
TCP 139 | User and Computer Authentication, Replication | DFSN, NetBIOS Session Service, NetLogon

3) Verify that the disk partitions are formatted with NTFS.

4) Verify that the DNS zone TLC.LOCAL and its corresponding folders (_msdcs, _tcp, _udp, _sites) are created and populated with:

a) Kerberos SRV records pointing to the domain controller

b) LDAP SRV records pointing to the domain controller

c) _kpasswd SRV records pointing to the domain controller

5) Ensure dynamic updates are configured on the DNS zone.

6) Enable aging and scavenging on the DNS server.

7) Ensure the forwarding timeout is set to 6 seconds.

8) Ensure the Active Directory DNS zones are replicated across the forest; this ensures that clients can find resource records in either domain.

9) Configure DNS reverse lookup zones for the specific IP subnets.

10) Ensure the hosts file on the DNS server is empty.

11) Ensure the recursion timeout is greater than the forwarding timeout.

12) Ensure replication between sites uses RPC over IP.

13) Understand whether the network is fully routed or a hub-and-spoke configuration. If the configuration is hub and spoke, a careful understanding of the networked WAN sites is required. Site link bridges are required only for sites that have domain controllers configured. Again, careful understanding is required before proposing the installation of domain controllers in a physical site. If there are adjacent sites in different domains, there is no need to create a site link between the disparate domains.

14) Validate BASL (Bridge All Site Links) against the network. BASL should be enabled / switched on if the network is routable (domain controllers should be able to communicate with each other). If the domain controllers log Event ID 1311, ensure that all the WAN sites / site links are routable, validate the site link bridges and remove any unrouted WAN links from AD Sites and Services.

15) For any given Active Directory site with a Global Catalog, all the GCs should be used for replication.
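The script below is an added example, not part of the SKV proposal, that reads items 1) to 11) and 14) of this checklist from one domain controller and returns a result object. It assumes the RSAT ActiveDirectory and DnsServer modules (Windows Server 2012 / Windows 8 or later, so it is run from a management host rather than on the 2008 R2 DCs themselves), WinRM access to the DC, and that the DC also runs DNS. TLC.LOCAL, FRD1.TLC.LOCAL and the TCP ports come from the proposal's own tables; the function and variable names are this example's own.

```powershell
# Added example (not part of the SKV proposal): read-only DC checks for the
# monitoring list. Assumes RSAT ActiveDirectory + DnsServer modules and WinRM.
Import-Module ActiveDirectory
Import-Module DnsServer

# TCP ports from the proposal's port table (Test-NetConnection cannot probe UDP).
$AdTcpPorts = [ordered]@{
    'LDAP' = 389; 'LDAP SSL' = 636; 'LDAP GC' = 3268; 'LDAP GC SSL' = 3269
    'Kerberos' = 88; 'DNS' = 53; 'SMB' = 445; 'RPC EPM' = 135; 'DFSR' = 5722
    'Kerberos kpasswd' = 464; 'AD DS Web Services' = 9389; 'NetBIOS Session' = 139
}

function Test-TlcDomainController {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$ZoneName = 'TLC.LOCAL'        # zone name from the proposal
    )
    $issues = New-Object System.Collections.Generic.List[string]

    # 1), 3), 10): NIC, NTFS and hosts-file facts read on the DC itself.
    $local = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $addrs = Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.PrefixOrigin -ne 'WellKnown' }
        $hosts = Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" |
                 Where-Object { $_.Trim() -and -not $_.Trim().StartsWith('#') }
        [pscustomobject]@{
            Addresses  = @($addrs | ForEach-Object { "$($_.IPAddress) ($($_.PrefixOrigin))" })
            MultiHomed = (@($addrs | ForEach-Object { $_.InterfaceIndex } | Select-Object -Unique).Count -gt 1)
            AllStatic  = -not ($addrs | Where-Object { $_.PrefixOrigin -eq 'Dhcp' })
            HasGateway = [bool](Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 -ErrorAction SilentlyContinue)
            HostsLines = @($hosts).Count
            SystemFs   = (Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'").FileSystem
        }
    }
    if ($local.MultiHomed)          { $issues.Add("Multi-homed DC: $($local.Addresses -join ', ')") }
    if (-not $local.AllStatic)      { $issues.Add('An IPv4 address is DHCP-assigned, expected static') }
    if (-not $local.HasGateway)     { $issues.Add('No IPv4 default gateway configured') }
    if ($local.SystemFs -ne 'NTFS') { $issues.Add("System volume is $($local.SystemFs), expected NTFS") }
    if ($local.HostsLines -gt 0)    { $issues.Add("hosts file has $($local.HostsLines) active entries, expected none") }

    # 2): the TCP ports in the table must be reachable from the management host.
    foreach ($entry in $AdTcpPorts.GetEnumerator()) {
        $open = Test-NetConnection -ComputerName $ComputerName -Port $entry.Value `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        if (-not $open) { $issues.Add("TCP $($entry.Value) ($($entry.Key)) not reachable") }
    }

    # 4): SRV records clients use to locate this DC, asked of the DC's own DNS service.
    foreach ($name in "_kerberos._tcp.$ZoneName", "_ldap._tcp.$ZoneName", "_kpasswd._tcp.$ZoneName") {
        $srv = Resolve-DnsName -Name $name -Type SRV -Server $ComputerName -ErrorAction SilentlyContinue
        if (-not ($srv | Where-Object { $_.NameTarget -like "$ComputerName*" })) {
            $issues.Add("$name has no SRV target for $ComputerName")
        }
    }

    # 5), 6), 7), 9), 11): DNS server settings.
    $zone  = Get-DnsServerZone -Name $ZoneName -ComputerName $ComputerName
    $aging = Get-DnsServerZoneAging -Name $ZoneName -ComputerName $ComputerName
    $fwd   = Get-DnsServerForwarder -ComputerName $ComputerName
    $rec   = Get-DnsServerRecursion -ComputerName $ComputerName
    if ($zone.DynamicUpdate -eq 'None') { $issues.Add("Dynamic updates are disabled on $ZoneName") }
    if (-not $aging.AgingEnabled)       { $issues.Add("Aging/scavenging is not enabled on $ZoneName") }
    if ($fwd.Timeout -ne 6)             { $issues.Add("Forwarding timeout is $($fwd.Timeout)s, expected 6s") }
    if ($rec.Timeout -le $fwd.Timeout)  { $issues.Add("Recursion timeout $($rec.Timeout)s is not greater than forwarding timeout $($fwd.Timeout)s") }
    if (-not (Get-DnsServerZone -ComputerName $ComputerName | Where-Object { $_.IsReverseLookupZone })) {
        $issues.Add('No reverse lookup zone is configured')
    }

    # 14): Bridge All Site Links is on unless bit 0x2 ("bridges required") is set
    # on the IP inter-site transport object in the configuration partition.
    $configNc    = (Get-ADRootDSE).configurationNamingContext
    $ipTransport = Get-ADObject -Identity "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNc" -Properties options
    $basl        = ((([int]$ipTransport.options) -band 0x2) -eq 0)

    [pscustomobject]@{
        DomainController   = $ComputerName
        Addresses          = $local.Addresses
        BridgeAllSiteLinks = $basl
        Issues             = $issues
        Passed             = ($issues.Count -eq 0)
    }
}

# FRD1.TLC.LOCAL is the first DC named in the proposal's DNS table.
Test-TlcDomainController -ComputerName 'FRD1.TLC.LOCAL' | Format-List
```

Items 8), 12), 13) and 15) are design questions (zone replication scope, transport choice, routing topology, GC usage) rather than single settings, so they are left to the consultant's review; the UDP rows of the port table are not probed because a TCP connect test says nothing about UDP reachability.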

Validation Tools and Analysis:

Microsoft Active Directory sites map the physical infrastructure to the logical infrastructure and assist logon and replication among Active Directory domain controllers located across multiple regions. Replication is key to managing data / object consistency across the domains within sites and across sites (inter-site). Note that replication within a site is always fast compared to replication across the WAN, which uses site link objects.

Knowledge Consistency Checker (KCC) Monitoring:

The KCC is responsible for creating inbound connections between domain controllers, which together form the replication topology (inter-site). Initial nomination of the bridgehead server takes up to 2 hours, and even in the event of re-nomination (when the customer wants to re-designate the bridgehead server), the process takes 2 hours or more to assign a BH server. The KCC builds the replication topology with the help of the CNAME record and determines the inbound and outbound domain controllers to create the inbound connections.

The intra-site topology is built automatically by the KCC as a ring topology. Replication between sites is configured with the help of site link objects. While building the replication topology, the KCC contacts the domain controllers within the site, and each domain controller should respond with 0 failed attempts, that is, when the KCC polls a domain controller it should respond immediately. For replication between sites, the default time is 2 hours.

Domain controller KCC initial replication with intra-site replication partners: 5 minutes.

Note: Ensure all services (DNS / DHCP) start before the KCC starts its initial replication.

Test Case 1:

SKV consultants will perform negative test case scenarios to verify whether the KCC automatically rebuilds the topology: shut down the preferred bridgehead server and validate that the KCC automatically elects a new bridgehead server and rebuilds the topology.

Test Case 2:

Disable inter-site topology calculation on the domain controller of a given site and re-enable it after a given period. This ensures the replication load is managed during off-peak hours and reduces network traffic. Use the following link to disable the inter-site topology: http://support.microsoft.com/kb/242780

Test Case 3:

Disable inter-site topology generation and manage the connections manually. This requires administrators to understand the corporate network topology and designate manual site link connections. This activity also requires administrators to provide redundant manual connections, which helps the KCC recalculate if a specific domain controller goes down.

Tools: RepAdmin
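As an added example, not part of the SKV proposal, the Test Case 2 switch can be implemented on the site's NTDS Site Settings object. KB 242780 (linked above) documents the bits of that object's options attribute: 0x1 disables intra-site automatic topology generation and 0x10 disables inter-site automatic topology generation. The script assumes the RSAT ActiveDirectory module and write rights on the configuration partition; the site name 'Sydney' is this example's own, while FRD1.TLC.LOCAL and repadmin come from the proposal.

```powershell
# Added example (not part of the SKV proposal): toggle inter-site topology
# generation for one site by setting or clearing bit 0x10 of the NTDS Site
# Settings 'options' attribute, as documented in KB 242780.
Import-Module ActiveDirectory

$InterSiteAutoTopologyDisabled = 0x10   # NTDS Site Settings 'options' bit, per KB 242780

function Get-NtdsSiteSettings {
    param([Parameter(Mandatory)][string]$SiteName)
    $configNc = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -Identity "CN=NTDS Site Settings,CN=$SiteName,CN=Sites,$configNc" -Properties options
}

function Set-InterSiteTopologyGeneration {
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [Parameter(Mandatory)][bool]$Enabled
    )
    $settings = Get-NtdsSiteSettings -SiteName $SiteName
    $current  = [int]$settings.options          # an attribute that was never set reads as $null, i.e. 0
    if ($Enabled) { $new = $current -band (-bnot $InterSiteAutoTopologyDisabled) }
    else          { $new = $current -bor  $InterSiteAutoTopologyDisabled }

    if ($new -ne $current) {
        # Only the one bit changes; any other option bits the site already had are kept.
        Set-ADObject -Identity $settings.DistinguishedName -Replace @{ options = $new }
    }

    $state = if (($new -band $InterSiteAutoTopologyDisabled) -eq 0) { 'Enabled' } else { 'Disabled' }
    [pscustomobject]@{
        Site                = $SiteName
        Options             = ('0x{0:X}' -f $new)
        InterSiteGeneration = $state
    }
}

# Start of the business day: stop the site's ISTG from recalculating inter-site connections.
Set-InterSiteTopologyGeneration -SiteName 'Sydney' -Enabled $false

# Off-peak window: re-enable, then ask a DC in the site to run the KCC now rather than
# waiting for its next scheduled pass (repadmin is the tool named above).
Set-InterSiteTopologyGeneration -SiteName 'Sydney' -Enabled $true
& repadmin /kcc FRD1.TLC.LOCAL
```

Existing connection objects are left in place while the bit is set; only new inter-site calculations stop. The two calls would normally be placed in scheduled tasks that bracket the off-peak window, and the returned object gives the evidence line for the report.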


Conclusion: This document explains monitoring guidelines for the network and Active Directory site structure. It describes the different monitoring measures for Layer 2, Layer 3 and general networking on Cisco devices, and the different monitoring metrics for the Active Directory site implementation.